amadey

General

Target

8302e0384a2f7b06170ba25affd3339c
Size

2.2MB
Sample

240104-2617esddek
MD5

8302e0384a2f7b06170ba25affd3339c
SHA1

3e0574188f19c0d681ddfed04c4115cbd267dcb3
SHA256

d3e4f5863b1d06e57ee98bc50998d0addd25b93f86bb7f6aed8f7fa7d656b830
SHA512

7fe0ce9451ebe9c76a33a1396ed7223ae93ef2d6c49ce6d424a2438edefaa271f41ca263b34399614212d2a7ad03b8bc3d995b230a331d502fabeb3201b12e15
SSDEEP

49152:cxaVL0eroz2R2hjRZoJjceYsTNL73ZGlGdVtO/wet/fwGBhsT:mlfzJ9RSRfhPdaYeFsT

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.15

C2

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTrafic

C2

20.79.30.95:13856

Extracted

Family

redline

Botnet

@Pixelive

C2

195.20.16.103:20440

Extracted

Family

redline

Botnet

Legaa

C2

185.172.128.33:38294

Targets

- Target
  
  8302e0384a2f7b06170ba25affd3339c
- Size
  
  2.2MB
- MD5
  
  8302e0384a2f7b06170ba25affd3339c
- SHA1
  
  3e0574188f19c0d681ddfed04c4115cbd267dcb3
- SHA256
  
  d3e4f5863b1d06e57ee98bc50998d0addd25b93f86bb7f6aed8f7fa7d656b830
- SHA512
  
  7fe0ce9451ebe9c76a33a1396ed7223ae93ef2d6c49ce6d424a2438edefaa271f41ca263b34399614212d2a7ad03b8bc3d995b230a331d502fabeb3201b12e15
- SSDEEP
  
  49152:cxaVL0eroz2R2hjRZoJjceYsTNL73ZGlGdVtO/wet/fwGBhsT:mlfzJ9RSRfhPdaYeFsT
Score

10^/10

google collection discovery evasion persistence phishing spyware stealer trojan amadey redline @pixelive legaa livetrafic infostealer
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detected google phishing page
  phishing google
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2